

<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="../">
<head>
  <meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>Passive &mdash; IVRE  documentation</title>
      <link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=80d5e7a1" />
      <link rel="stylesheet" type="text/css" href="../_static/css/theme.css?v=e59714d7" />
      <link rel="stylesheet" type="text/css" href="../_static/graphviz.css?v=4ae1632d" />

  
      <script src="../_static/jquery.js?v=5d32c60e"></script>
      <script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
      <script src="../_static/documentation_options.js?v=5929fcd5"></script>
      <script src="../_static/doctools.js?v=9bcbadda"></script>
      <script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
    <script src="../_static/js/theme.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Flow" href="flow.html" />
    <link rel="prev" title="Active recon" href="active-recon.html" /> 
</head>

<body class="wy-body-for-nav"> 
  <div class="wy-grid-for-nav">
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search" >

          
          
          <a href="../index.html" class="icon icon-home">
            IVRE
              <img src="../_static/logo.png" class="logo" alt="Logo"/>
          </a>
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" aria-label="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>
        </div><div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="Navigation menu">
              <ul>
<li class="toctree-l1"><a class="reference internal" href="../overview/index.html">Overview</a></li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../install/index.html">Installation</a></li>
</ul>
<ul class="current">
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Usage</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="use-cases.html">Some use cases</a></li>
<li class="toctree-l2"><a class="reference internal" href="active-recon.html">Active recon</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Passive</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#with-zeek">With Zeek</a></li>
<li class="toctree-l3"><a class="reference internal" href="#with-p0f">With p0f</a></li>
<li class="toctree-l3"><a class="reference internal" href="#enjoying-the-results">Enjoying the results</a><ul>
<li class="toctree-l4"><a class="reference internal" href="#cli">CLI</a></li>
<li class="toctree-l4"><a class="reference internal" href="#python-module">Python module</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="flow.html">Flow</a></li>
<li class="toctree-l2"><a class="reference internal" href="web-ui.html">Web User Interface</a></li>
<li class="toctree-l2"><a class="reference internal" href="kibana.html">IVRE with Kibana</a></li>
</ul>
</li>
</ul>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../dev/index.html">Development</a></li>
</ul>
<p class="caption" role="heading"><span class="caption-text">Licenses:</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../license.html">IVRE: GPL v3</a></li>
<li class="toctree-l1"><a class="reference internal" href="../license-external.html">Licenses for external files</a></li>
</ul>

        </div>
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" >
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../index.html">IVRE</a>
      </nav>

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="navigation" aria-label="Page navigation">
  <ul class="wy-breadcrumbs">
      <li><a href="../index.html" class="icon icon-home" aria-label="Home"></a></li>
          <li class="breadcrumb-item"><a href="index.html">Usage</a></li>
      <li class="breadcrumb-item active">Passive</li>
      <li class="wy-breadcrumbs-aside">
            <a href="../_sources/usage/passive.rst.txt" rel="nofollow"> View page source</a>
      </li>
  </ul>
  <hr/>
</div>
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
             
  <section id="passive">
<h1>Passive<a class="headerlink" href="#passive" title="Link to this heading"></a></h1>
<section id="with-zeek">
<h2>With Zeek<a class="headerlink" href="#with-zeek" title="Link to this heading"></a></h2>
<p>You need to run <a class="reference external" href="https://www.zeek.org/">Zeek</a> (formerly known as
Bro), version 3.0 or later (tested with 3.0 and 3.1), in bare mode (option
<code class="docutils literal notranslate"><span class="pre">-b</span></code>, which loads only the scripts you name instead of Zeek's
default ones) with the location of the <code class="docutils literal notranslate"><span class="pre">passiverecon/bare.zeek</span></code> file. If you
want to run it on the <code class="docutils literal notranslate"><span class="pre">eth0</span></code> interface, for example, run (replace
<code class="docutils literal notranslate"><span class="pre">/usr/share/ivre</span></code> with the appropriate location; use <code class="docutils literal notranslate"><span class="pre">python</span> <span class="pre">-c</span>
<span class="pre">'import</span> <span class="pre">ivre.config;</span> <span class="pre">print(ivre.config.guess_prefix())'</span></code> if you
cannot find it):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ mkdir logs
$ sudo LOG_PATH=logs/passiverecon \
&gt;   zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek -C -i eth0
</pre></div>
</div>
<p>Capturing on a live interface normally requires root privileges (hence
<code class="docutils literal notranslate"><span class="pre">sudo</span></code>). The <code class="docutils literal notranslate"><span class="pre">-C</span></code> option makes Zeek ignore bad IP, TCP and UDP
checksums; without it, packets captured on a NIC that does checksum
offloading are silently dropped and the passive data is incomplete. If you
want to run it on the <code class="docutils literal notranslate"><span class="pre">capture</span></code> file (<code class="docutils literal notranslate"><span class="pre">capture</span></code> needs to be a
PCAP file), run:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ mkdir logs
$ LOG_PATH=logs/passiverecon \
&gt;   zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek -r capture
</pre></div>
</div>
<p>This will produce log files in the <code class="docutils literal notranslate"><span class="pre">logs</span></code> directory (owned by
root when Zeek was started with <code class="docutils literal notranslate"><span class="pre">sudo</span></code>, so make sure the user
running the worker below can read and manage them). You need to run an
<code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">passivereconworker</span></code> to process these files. You can try:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ivre passivereconworker --directory=logs
</pre></div>
</div>
<p>This program will not stop by itself. You can <code class="docutils literal notranslate"><span class="pre">kill</span></code> it; it will
stop cleanly, as soon as it has finished processing the current file.</p>
<p>You can also send the data from <code class="docutils literal notranslate"><span class="pre">zeek</span></code> to the database without using
intermediate files (replace <code class="docutils literal notranslate"><span class="pre">[option]</span></code> with <code class="docutils literal notranslate"><span class="pre">-C</span> <span class="pre">-i</span> <span class="pre">eth0</span></code> or
<code class="docutils literal notranslate"><span class="pre">-r</span> <span class="pre">capture</span></code> as above):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek [option] \
&gt;   | ivre passiverecon2db
</pre></div>
</div>
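<p>Before handing a batch of logs to the worker, it is often useful to look at
what Zeek actually produced (which hosts, which kinds of records, whether the
checksum issue above lost traffic). The following is an added example, not
code from IVRE itself: a small parser for the Zeek ASCII (TSV) log format
that honors the <code class="docutils literal notranslate"><span class="pre">#separator</span></code>, <code class="docutils literal notranslate"><span class="pre">#fields</span></code>,
<code class="docutils literal notranslate"><span class="pre">#types</span></code>, <code class="docutils literal notranslate"><span class="pre">#unset_field</span></code> and <code class="docutils literal notranslate"><span class="pre">#empty_field</span></code>
headers, so it works on any Zeek log. The sample log is constructed; the
field names (<code class="docutils literal notranslate"><span class="pre">ts</span></code>, <code class="docutils literal notranslate"><span class="pre">uid</span></code>, <code class="docutils literal notranslate"><span class="pre">host</span></code>,
<code class="docutils literal notranslate"><span class="pre">srvport</span></code>, <code class="docutils literal notranslate"><span class="pre">recon_type</span></code>, <code class="docutils literal notranslate"><span class="pre">source</span></code>,
<code class="docutils literal notranslate"><span class="pre">value</span></code>, <code class="docutils literal notranslate"><span class="pre">targetval</span></code>) are assumed to be those written by
<code class="docutils literal notranslate"><span class="pre">passiverecon/bare.zeek</span></code>; check that file for the authoritative list.</p>

```python
from collections import Counter, defaultdict

# Constructed sample log (not real capture data). The header lines follow the
# Zeek ASCII log format; the field names are the ones IVRE's passiverecon
# script is assumed to emit (check bare.zeek for the authoritative list).
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tpassiverecon
#fields\tts\tuid\thost\tsrvport\trecon_type\tsource\tvalue\ttargetval
#types\ttime\tstring\taddr\tport\tstring\tstring\tstring\tstring
1704067200.123456\tCAbc1\t192.0.2.10\t80\tHTTP_SERVER_HEADER\tSERVER\tApache/2.4.57 (Debian)\t-
1704067201.500000\tCAbc2\t192.0.2.10\t443\tSSL_SERVER\tcert\tBASE64-DER-CERT\t-
1704067202.250000\tCAbc3\t192.0.2.20\t22\tSSH_SERVER\t-\tSSH-2.0-OpenSSH_9.2p1 Debian-2\t-
1704067203.000000\tCAbc4\t198.51.100.5\t53\tDNS_ANSWER\tA-DNS\twww.example.com\t192.0.2.10
#close\t2024-01-01-00-00-05
"""

# Zeek scalar types worth converting; anything else stays a string.
_CONVERTERS = {
    "time": float,
    "interval": float,
    "double": float,
    "count": int,
    "int": int,
    "port": int,
    "bool": lambda v: v == "T",
}


def parse_zeek_log(text):
    """Yield one dict per record of a Zeek ASCII log.

    Honors the #separator, #unset_field, #empty_field, #fields and #types
    headers, so it works on any Zeek log, not only passiverecon ones.
    """
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types = None, None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written escaped (e.g. \x09 for a tab).
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        record = {}
        for idx, (name, value) in enumerate(zip(fields, values)):
            if value == unset:
                record[name] = None
            elif value == empty:
                record[name] = ""
            else:
                conv = _CONVERTERS.get(types[idx], str) if types else str
                record[name] = conv(value)
        yield record


def summarize_by_host(records):
    """Count (recon_type, source) pairs per host: what the worker will store."""
    per_host = defaultdict(Counter)
    for rec in records:
        per_host[rec["host"]][(rec["recon_type"], rec["source"])] += 1
    return per_host


if __name__ == "__main__":
    import sys

    # Run on a real file with: python this_script.py logs/passiverecon.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for host, counts in sorted(summarize_by_host(parse_zeek_log(text)).items()):
        print(host)
        for (rtype, source), count in counts.most_common():
            print("  %-20s %-10s %d" % (rtype, source, count))
```

<p>Unset fields (<code class="docutils literal notranslate"><span class="pre">-</span></code>) become <code class="docutils literal notranslate"><span class="pre">None</span></code> and empty ones become
<code class="docutils literal notranslate"><span class="pre">""</span></code>, which matters for <code class="docutils literal notranslate"><span class="pre">source</span></code> and
<code class="docutils literal notranslate"><span class="pre">targetval</span></code>: treating the literal dash as data would pollute the
summary. A log whose only hosts are the capture machine itself is the usual
symptom of a missing <code class="docutils literal notranslate"><span class="pre">-C</span></code> on an offloading NIC.</p>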
</section>
<section id="with-p0f">
<h2>With p0f<a class="headerlink" href="#with-p0f" title="Link to this heading"></a></h2>
<p>You need to install <a class="reference external" href="https://lcamtuf.coredump.cx/p0f3/">p0f v3</a>, and
use it with the option <code class="docutils literal notranslate"><span class="pre">-o</span></code> to produce an output file. Then, provide
that output file to <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">p0f2db</span></code>.</p>
<p>For now, only <code class="docutils literal notranslate"><span class="pre">syn</span></code> and <code class="docutils literal notranslate"><span class="pre">syn+ack</span></code> modes are supported.</p>
</section>
<section id="enjoying-the-results">
<h2>Enjoying the results<a class="headerlink" href="#enjoying-the-results" title="Link to this heading"></a></h2>
<p>You have several options, depending on what you want to do:</p>
<ul>
<li><p>Command line interfaces (see also <a class="reference internal" href="../overview/screenshots.html#passive-network-analysis"><span class="std std-ref">Passive network analysis</span></a> in the screenshots gallery):</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">ipinfo</span></code> tool, for any passive data.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">iphost</span></code> tool, for Passive DNS data (see
<a class="reference internal" href="use-cases.html#your-own-passive-dns-service"><span class="std std-ref">Your own Passive DNS service</span></a>).</p></li>
</ul>
</div></blockquote>
</li>
<li><p>Python API: use the <code class="docutils literal notranslate"><span class="pre">db.passive</span></code> object of the <code class="docutils literal notranslate"><span class="pre">ivre.db</span></code> module.</p></li>
<li><p>Web interface:</p>
<blockquote>
<div><ul class="simple">
<li><p>Using <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">db2view</span></code>, you can create or update a view with
passive data, that can then be accessed by the <code class="docutils literal notranslate"><span class="pre">view</span></code> purpose
(see <a class="reference internal" href="../overview/principles.html#purposes"><span class="std std-ref">Purposes</span></a>), which includes the
<a class="reference internal" href="web-ui.html#web-user-interface"><span class="std std-ref">Web User Interface</span></a>.</p></li>
</ul>
</div></blockquote>
</li>
</ul>
<section id="cli">
<h3>CLI<a class="headerlink" href="#cli" title="Link to this heading"></a></h3>
<p>To show everything stored about an IP address or a network:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ivre ipinfo 1.2.3.4
$ ivre ipinfo 1.2.3.0/24
</pre></div>
</div>
<p>See the output of <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">help</span> <span class="pre">ipinfo</span></code> and <code class="docutils literal notranslate"><span class="pre">ivre</span> <span class="pre">help</span> <span class="pre">iphost</span></code>.</p>
</section>
<section id="python-module">
<h3>Python module<a class="headerlink" href="#python-module" title="Link to this heading"></a></h3>
<p>To use the Python module, run for example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ python
&gt;&gt;&gt; from ivre.db import db
&gt;&gt;&gt; db.passive.get(db.passive.flt_empty)[0]
</pre></div>
</div>
<p>For more, run <code class="docutils literal notranslate"><span class="pre">help(db.passive)</span></code> from the Python shell.</p>
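<p>The query on this page returns raw records; what a practitioner usually
wants is to aggregate them per kind of observation and to spot values that
changed over time, such as a new TLS certificate or SSH host key on a host
that was not re-provisioned. The following is an added example, not IVRE's
own code. <code class="docutils literal notranslate"><span class="pre">db.passive.get(flt)</span></code> is the call shown above;
building the filter with <code class="docutils literal notranslate"><span class="pre">db.passive.searchhost(addr)</span></code> is an
assumption about the IVRE API (verify it with <code class="docutils literal notranslate"><span class="pre">help(db.passive)</span></code>).
The sample records are constructed; their keys (<code class="docutils literal notranslate"><span class="pre">addr</span></code>,
<code class="docutils literal notranslate"><span class="pre">port</span></code>, <code class="docutils literal notranslate"><span class="pre">recontype</span></code>, <code class="docutils literal notranslate"><span class="pre">source</span></code>,
<code class="docutils literal notranslate"><span class="pre">value</span></code>, <code class="docutils literal notranslate"><span class="pre">count</span></code>, <code class="docutils literal notranslate"><span class="pre">firstseen</span></code>,
<code class="docutils literal notranslate"><span class="pre">lastseen</span></code>) are those of IVRE passive records, the values are made up.</p>

```python
from datetime import datetime


def passive_records_for(addr):
    """Return every passive record IVRE has stored about ``addr``.

    ``db.passive.get(flt)`` is the call shown on this page; building the
    filter with ``db.passive.searchhost(addr)`` is an assumption about the
    IVRE API, to be checked with ``help(db.passive)``.
    """
    from ivre.db import db  # imported here so the pure helpers below need no database

    return list(db.passive.get(db.passive.searchhost(addr)))


def summarize(records):
    """Aggregate per (recontype, source): total sightings, time span, values, ports."""
    out = {}
    for rec in records:
        key = (rec["recontype"], rec["source"])
        entry = out.setdefault(key, {
            "count": 0,
            "firstseen": rec["firstseen"],
            "lastseen": rec["lastseen"],
            "values": set(),
            "ports": set(),
        })
        entry["count"] += rec["count"]
        entry["firstseen"] = min(entry["firstseen"], rec["firstseen"])
        entry["lastseen"] = max(entry["lastseen"], rec["lastseen"])
        entry["values"].add(rec["value"])
        entry["ports"].add(rec["port"])
    return out


def changed_values(records):
    """Keys whose observed value changed over time, values in first-seen order.

    A same value seen on several ports is not a change; a different
    certificate or host key for the same (recontype, source) is.
    """
    history = {}
    for rec in sorted(records, key=lambda r: r["firstseen"]):
        seq = history.setdefault((rec["recontype"], rec["source"]), [])
        if rec["value"] not in seq:
            seq.append(rec["value"])
    return {key: seq for key, seq in history.items() if len(seq) > 1}


# Constructed records, not output from a real database (values are made up).
SAMPLE_RECORDS = [
    {"addr": "192.0.2.10", "port": 22, "recontype": "SSH_SERVER_HOSTKEY",
     "source": "ssh-ed25519", "value": "hostkey-A", "count": 40,
     "firstseen": datetime(2024, 1, 1), "lastseen": datetime(2024, 3, 1)},
    {"addr": "192.0.2.10", "port": 22, "recontype": "SSH_SERVER_HOSTKEY",
     "source": "ssh-ed25519", "value": "hostkey-B", "count": 12,
     "firstseen": datetime(2024, 3, 2), "lastseen": datetime(2024, 3, 20)},
    {"addr": "192.0.2.10", "port": 443, "recontype": "SSL_SERVER",
     "source": "cert", "value": "cert-A", "count": 300,
     "firstseen": datetime(2024, 1, 1), "lastseen": datetime(2024, 2, 28)},
    {"addr": "192.0.2.10", "port": 443, "recontype": "SSL_SERVER",
     "source": "cert", "value": "cert-B", "count": 5,
     "firstseen": datetime(2024, 3, 1), "lastseen": datetime(2024, 3, 20)},
    {"addr": "192.0.2.10", "port": 80, "recontype": "HTTP_SERVER_HEADER",
     "source": "SERVER", "value": "nginx", "count": 120,
     "firstseen": datetime(2024, 1, 1), "lastseen": datetime(2024, 3, 20)},
    {"addr": "192.0.2.10", "port": 8080, "recontype": "HTTP_SERVER_HEADER",
     "source": "SERVER", "value": "nginx", "count": 3,
     "firstseen": datetime(2024, 2, 1), "lastseen": datetime(2024, 2, 2)},
]


if __name__ == "__main__":
    import sys

    # With an address argument, query the database; otherwise use the sample.
    records = passive_records_for(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for (rtype, source), values in changed_values(records).items():
        print("%s/%s changed: %s" % (rtype, source, " -> ".join(values)))
```

<p>On the sample, both the SSH host key and the TLS certificate changed at the
start of March while the HTTP <code class="docutils literal notranslate"><span class="pre">Server</span></code> header did not; the
second <code class="docutils literal notranslate"><span class="pre">nginx</span></code> record on port 8080 is correctly not reported as
a change. Whether such a change is a planned rotation or something to
investigate is for you to decide; the passive data gives you the timeline.</p>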
</section>
</section>
</section>


           </div>
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
        <a href="active-recon.html" class="btn btn-neutral float-left" title="Active recon" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
        <a href="flow.html" class="btn btn-neutral float-right" title="Flow" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2011 - 2025, Pierre LALET.</p>
  </div>

  Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
    <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
    provided by <a href="https://readthedocs.org">Read the Docs</a>.
   

</footer>
        </div>
      </div>
    </section>
  </div>
  <script>
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script> 

</body>
</html>